b'           SEMIANNUAL\n           REPORT\n\n           October 1, 2011 \xe2\x80\x93\n           March 31, 2012\n\n\n\n\nMay 2012                   OIG-12-4\n\x0c                                                United States Government Accountability Office\n\n\nMemorandum\nDate:         May 24, 2012\n\nTo:           Comptroller General Gene L. Dodaro\n\nFrom:         Inspector General Frances Garcia\n\nSubject:      Semiannual Report\xe2\x80\x94October 1, 2011, through March 31, 2012\n\n\nIn accordance with Section 5 of the Government Accountability Office Act of 2008\n(GAO Act), I am pleased to submit the Office of the Inspector General (OIG) semiannual\nreport for the 6-month period ending March 31, 2012, for your comments and its\ntransmission to the Congress.\n\nDuring this period, we have continued in our efforts to meet our statutory mandate to\npromote economy, efficiency, and effectiveness at GAO. For example, the OIG continued to\nprovide reasonable assurance that our quality control framework of policies and procedures\nrelated to generally accepted government auditing standards and the Council of the\nInspectors General on Integrity and Efficiency (CIGIE) standards are suitably designed and\noperating effectively. Further, the OIG completed an internal inspection of the OIG\xe2\x80\x99s system\nof quality control for the work completed during the fiscal year that ended September 30,\n2010. In addition, we completed a review of the closed investigations case files for fiscal\nyears 2010 and 2011 in an effort to determine the level of conformity with the standards\nadopted in the Council of the Inspectors General on Integrity and Efficiency Quality\nStandards for Investigations.1 The results of the internal inspection and review concluded\nthat, for the periods indicated, the OIG generally complied with prescribed quality standards\nfor audit, inspection, and investigative work performed during fiscal years 2010 and 2011.\n\nWe have continued our efforts to strengthen our quality control system through a number of\nactions taken or in progress in response to recommendations resulting from the internal\ninspection and review. Due to the increasing number and nature of complaints, we hired a\ncriminal investigator to fill a new Assistant Inspector General for Investigations (AIGI)\nposition. The AIGI is responsible for overseeing the OIG hotline complaint process and\nindependently planning and conducting investigations of allegations of fraud, abuse, and\nother deficiencies relating to GAO. In addition, the AIGI is responsible for continuing our\nefforts to strengthen our system of quality control for investigations. Actions planned and\ntaken by the AIGI regarding OIG hotline and investigative functions include reviewing and\nrevising the policies and procedures manual for investigations to help ensure compliance\nwith applicable CIGIE standards; establishing investigative and case-specific goals,\n\n\n\n\n1\n The Quality Standards for Investigations contain three general standards (qualification,\nindependence, and due professional care) and four qualitative standards (planning, execution,\nreporting, and information management).\n\n\n                                                                      OIG-12-4 Semiannual Report\n\x0cobjectives, and priorities; and exploring shared services options for implementing an\nautomated case management system for records and evidence management.\n\nActivities of the Office of the Inspector General\nAudits\n\nOn March 30, 2012, the OIG reported on GAO\xe2\x80\x99s voluntary compliance with the Federal\nInformation Security Management Act of 2002 and other federal security requirements. 2 The\nFederal Information Security Management Act of 2002 (FISMA) requires that each federal\nagency in the executive branch establish an agencywide information security management\nprogram for the information systems that support the agency\xe2\x80\x99s operations and assets. GAO\nis not obligated by law to comply with FISMA or executive branch information policies but\nhas adopted them to help ensure physical and information system security. Our evaluation\nshowed that GAO has established an overall information security program that is generally\nconsistent with the requirements of FISMA, Office of Management and Budget implementing\nguidance, and standards and guidance issued by the National Institute of Standards and\nTechnology. However, using FISMA reporting metrics for federal inspectors general, we\nidentified opportunities to improve specific elements of this program that concern\n\n    \xe2\x80\xa2    addressing information security risk from an overall agency perspective through a\n         comprehensive governance structure and organization-wide risk management\n         strategy,\n\n    \xe2\x80\xa2    remediating security weaknesses identified for agency information systems in a\n         timely manner,\n\n    \xe2\x80\xa2    building out GAO\xe2\x80\x99s Alternative Computing Facility to fully support the agency\xe2\x80\x99s\n         mission-essential functions in the event of an emergency or disaster, and\n\n    \xe2\x80\xa2    developing accurate statistics for employees and contractors completing annual\n         security awareness and role-based training.\n\nWe recommended that GAO (1) establish a comprehensive governance structure and\norganization-wide risk management strategy for the security of its information systems; (2)\nenhance accountability for, and management of, the agency\xe2\x80\x99s information security\nweakness remediation process; (3) provide senior management with adequate information\nto consider and prioritize building out the capabilities of the agency\xe2\x80\x99s Alternative Computing\nFacility; and (4) develop and implement procedures for capturing data that accurately reflect\nagency compliance with security training requirements as of the end of each fiscal year.\nGAO concurred with these recommendations. Actions taken in response to the\nrecommendations are expected to be reported to the OIG within 60 days of the report\nissuance date.\n\nIn addition, we updated our audit risk assessment of GAO programs and operations to aid in\nour development of risk-based audit work plan for fiscal year 2012. Based on the risk\nassessment and our work plan, we have ongoing work involving hiring and retention\n\n\n\n2\n GAO, Office of the Inspector General, Information Security: Evaluation of GAO\xe2\x80\x99s Program and\nPractices for Fiscal Year 2011, OIG-12-2 (Washington, D.C.: Mar. 30, 2012).\n\n\n\n\nPage 2                                                               OIG-12-4 Semiannual Report\n\x0cincentives and Contracting Officer Representative training. 3 We also participated in the\nactivities of the broader inspector general community, including the CIGIE and the quarterly\nmeetings of the Legislative Branch Inspectors General. 4\n\nInvestigations\n\nFor this reporting period, the OIG received, reviewed, and investigated complaints or\ninformation concerning the possible existence of activities constituting a violation of any law,\nrule, regulation, or mismanagement or gross waste of funds. The OIG\xe2\x80\x99s hotline continues to\nbe our primary source of complaints or information for identifying suspected fraud and other\nserious problems, abuses, and deficiencies relating to the administration of GAO\xe2\x80\x99s programs\nand operations. 5 Of the complaints received, some resulted in the opening of investigations;\nothers were referred to GAO offices, units, or other law enforcement offices for\nconsideration; and some were closed and not accepted for investigation or referral.\n\nAs shown in table 1, we had a total of 191 hotline complaints during this 6-month reporting\nperiod\xe2\x80\x94189 received during the period and 2 that were open at the start of the period. Eight\ncomplaints were closed with a referral to the appropriate GAO office because they involved\nmatters such as personnel or security. Sixty-four complaints were closed with a referral to\nFraudNet 6 because they involved matters related to the receipt, disbursement, and use of\npublic money outside of GAO. Seventy one were closed due to insufficient factual\ninformation that would warrant further investigation; 16 others were closed with a referral to\nthe appropriate agency Office of the Inspector General or law enforcement offices because\nthey concerned matters related to other federal agencies programs, operations, or\nemployees. Regarding the 10 other complaints, we converted them to full investigations. At\nthe end of the reporting period, 22 complaints remained open.\n\n\n\n\n3\n While our engagements are generally focused on areas identified in our work plan, adjustments to\nour work plan are made, as needed, in an effort to ensure we are in tune with changing conditions or\nemerging issues and are able to respond appropriately.\n4\n The six legislative branch IGs are (1) the Government Accountability Office, (2) the Architect of the\nCapitol, (3) the Government Printing Office, (4) the Library of Congress, (5) the Capitol Police, and (6)\nthe House of Representatives.\n5\n OIG has a toll-free Hotline number that is staffed by a contractor 24 hours a day, 7 days a week. The\ntoll-free number is (866) 680-7963.\n6\n  FraudNet is a governmentwide hotline operated by GAO staff that receives complaints of fraud,\nwaste, and abuse of federal funds.\n\n\n\n\nPage 3                                                                   OIG-12-4 Semiannual Report\n\x0c                                                                                                   a\nTable 1: Summary OIG Hotline Complaint Activities, October 1, 2011, through March 31, 2012\n\n Complaints open at start of this reporting period                                                     2\n New complaints received this reporting period                                                   189\n Total complaints                                                                                191\n Disposition of Complaints Received\n Complaints closed (referred to other units within GAO)                                                8\n Complaints closed (referred to FraudNet)                                                         64\n Complaints closed (insufficient information/no basis)                                            71\n Complaints closed (no jurisdiction and referred to appropriate                                   16\n agency OIG or other law enforcement offices)\n Complaints closed (converted to full investigations)                                             10\n Total complaints still open at the end of the reporting period                                   22\nSource: OIG.\na\n Complaints include inquiries and allegations received by the OIG.\n\n\nAs shown in table 2, we had 12 investigations initiated during the reporting period, 2 of\nwhich were open at the start of this 6-month reporting period; the remaining 10 were initiated\nduring the report period and included allegations related to possible contract fraud and\npossible travel and telework policy violations. Six of the investigations were closed due to\ninsufficient factual information or referred to the appropriate GAO office for review and\naction. At the end of the reporting period, 6 cases remained opened, one of which is a joint\ninvestigation being led by the Federal Bureau of Investigation.\n\n\nTable 2: Summary of OIG Investigative Activities, October 1, 2011, through March 31, 2012\n    Investigations open at the start of this reporting period                                     2\n    Investigations initiated during this reporting period                                        10\n    Total investigations                                                                         12\n    Investigations closed this reporting period (no basis or referred to\n    other GAO units for review and action)                                                        6\n    Total investigations open at the end of this reporting period                                 6\nSource: OIG.\n\n\n\nOther Activities\n\nIn addition to our audit and investigative activities, the OIG was involved in a number of\noutreach and liaison activities, including oversight of the Commission on Civil Rights, active\nparticipation in the community of federal inspectors general, monitoring GAO\xe2\x80\x99s management\nchallenges, and tracking the status of open recommendations to GAO for corrective actions\nto address identified problems. Following are highlights of these activities.\n\n\n\n\nPage 4                                                                     OIG-12-4 Semiannual Report\n\x0cOIG Commission on Civil Rights Oversight\n\nDuring this reporting period, we performed the duties and responsibilities of the IG of the\nUnited States Commission on Civil Rights (Commission). The Commission\xe2\x80\x99s IG was created\nby the Consolidated and Further Continuing Appropriations Act of 2012. 7 The duties,\nresponsibilities, and authorities of the Commission\xe2\x80\x99s Inspector General are specified in the\nInspector General Act of 1978, as amended. 8 The act further designated that the IG of GAO\nalso holds the position of IG of the Commission and directed that personnel of GAO\xe2\x80\x99s OIG\nbe utilized to perform the duties of the Inspector General for the Commission. The IG shall\nconduct audits and investigations relating to programs and operations administered or\nfinanced by the Commission and keep the Commissioners and the Congress fully informed\nconcerning fraud or other serious problems, abuses, and deficiencies identified.\n\nCouncil of the Inspectors General on Integrity and Efficiency and Legislative Branch\nInspectors General\n\nDuring this 6-month reporting period, the OIG participated in the activities of the broader\ninspector general community. For example, the OIG served as a member of the Council of\nthe Inspectors General on Integrity and Efficiency (Council), as provided under the Inspector\nGeneral Reform Act of 2008. 9 As a member, the OIG participated in the plans, programs,\nand projects of the Council and adhered to professional standards established by the\nCouncil. The OIG also participated in the Legislative Branch Inspectors General quarterly\nmeetings.\n\nInspector General\xe2\x80\x99s View of GAO\xe2\x80\x99s Management Challenges\n\nFor this reporting period, we completed a review of GAO\xe2\x80\x99s assessment of its management\nchallenges before publication of GAO\xe2\x80\x99s fiscal year 2011 Performance and Accountability\nReport. 10 The Inspector General cited this assessment in an October 27, 2011,\nmemorandum to the Comptroller General, which was published in GAO\xe2\x80\x99s fiscal year 2011\nperformance report. In our memorandum, we agreed with management\xe2\x80\x99s assessment and\ndecision to remove physical security and information security and to retain human capital\nmanagement as management challenges for fiscal year 2011. The OIG agreed that while\nimprovements have been made in GAO\xe2\x80\x99s human capital management, this area continues\nto present a management challenge for the agency as it strives to maintain an agile and\neffective workforce. In 2011, GAO identified \xe2\x80\x9cengagement efficiency\xe2\x80\x9d as a new management\nchallenge in recognition of its need to find ways to improve its efficiency in producing quality\nwork in support of the Congress within a declining resource environment. We concurred with\nGAO\xe2\x80\x99s decision to recognize the importance of these efforts by designating engagement\nefficiency as a management challenge.\n\n\n\n\n7\nPub. L. No. 122-55. 125 Stat. 552, 628 (Nov. 18, 2011).\n8\nPub. L. No. 95-452, 92 Stat. 1101 (Oct. 12, 1978), codified as amended at 5 U.S.C. App.\n9\n5 U.S.C. App. \xc2\xa7 11 (b) (1) (I).\n10\n GAO, Performance and Accountability Report\xe2\x80\x94Fiscal Year 2011, GAO-12-4SP (Washington, D.C.:\nNov. 15, 2011).\n\n\n\n\nPage 5                                                               OIG-12-4 Semiannual Report\n\x0cGAO Actions on Recommendations Made in Prior OIG Reports\n\nTimely resolution of outstanding audit recommendations continues to be a priority for both\nour office and the agency. During the semiannual reporting period, we tracked the overall\nstatus of all reports and recommendations issued by the OIG, and actions planned and\ntaken by GAO in response to OIG recommendations. For this reporting period, GAO\nundertook or continued actions to respond to 15 recommendations in six previous OIG\nreports. For the purposes of this report, a recommendation is considered open when an\naction (1) has not been taken but may be taken, (2) is in the planning stage, or (3) has been\ntaken on only part of the recommendation. In addition, a recommendation is considered\nimplemented and closed when an action has been taken that essentially meets the\nrecommendation\xe2\x80\x99s intent. Table 3 provides a brief summary of the recommendations.\n\nTable 3: Agency Actions on Recommendations Made in Prior OIG Reports, October 1, 2011,\nthrough March 31, 2012\n                                                             Status of actions planned and\nOIG audit and other                                          taken by GAO in response to the\nreports                 Recommendation                       recommendation\nSuspension and          1. Consider developing and           Recommendation closed\ndebarment procedures    adopting suspension and              GAO implemented the\n(Sept. 30, 2010)        debarment procedures.                recommendation. A policy statement\n                                                             was published in the Federal Register\n                                                             on February 13, 2012, 77 F.R. 7579-\n                                                             81, effective immediately.\nInformation Security:   2. Incorporate procedures within its Recommendation closed\nEvaluation of GAO\xe2\x80\x99s     annual systems inventory process     GAO implemented the\nProgram and Practices   that require inventory changes to be recommendations.\nfor Fiscal Year 2010,   documented and formally approved GAO established a process to\nOIG-11-3                by the Chief Information Officer and document and formally approve\n(Mar. 4, 2011)          that system interfaces be identified inventory changes.\n                        between GAO systems and those\n                        operated by other agencies and\n                        contractors.\n\n                        3. Identify and pursue additional     Recommendation closed\n                        options for obtaining assurances      GAO completed a security\n                        that certain contractor systems       assessment of certain contractor\n                        meet federal information security     systems to ensure the systems met\n                        requirements.                         federal information security\n                                                              requirements.\n\n                        4. Continue efforts to complete and   Recommendation closed\n                        document required information         GAO completed and documented\n                        security processes and procedures     required information security\n                        for all GAO-operated systems.         processes and procedures for all\n                                                              GAO operated systems.\n\n                        5. Proceed with plans to establish    Recommendation closed\n                        a security configuration scanning     GAO scanned computers for\n                        capability for GAO notebook           compliance with security\n                        computers and workstations.           configuration.\n\n                        6. Incorporate changes to the         Recommendation closed\n                        configuration management              GAO incorporated changes that\n                        process that remediate specific       addressed specific open\n                        open configuration-related            configuration-related vulnerabilities.\n                        vulnerabilities.\n\n\n\n\nPage 6                                                                OIG-12-4 Semiannual Report\n\x0c                                                                 Status of actions planned and\nOIG audit and other                                              taken by GAO in response to the\nreports                      Recommendation                      recommendation\n                             7. Ensure that access to annual     Recommendation closed\n                             role-based information security     GAO implemented new mandatory\n                             training or its equivalent is       role-based training for all contractors\n                             provided for all contractor staff   with significant information security\n                             required to take this training.     responsibilities.\nGAO management               8. Re-examine management            Recommendation closed\nchallenges and               challenges to determine whether     GAO implemented the\nperformance measures         (1) significant actions had been    recommendation. GAO\xe2\x80\x99s assessment\n(Oct. 28, 2010)              taken in the areas of physical      led to a decision to remove physical\n                             security, information security, or  security and information security and\n                             human capital to justify removal of to retain human capital management\n                             any of these management             as management challenges for fiscal\n                             challenges and (2) other risks have year 2011. GAO identified\n                             emerged that may warrant            \xe2\x80\x9cengagement efficiency\xe2\x80\x9d as a new\n                             designation as GAO management management challenge in recognition\n                             challenges.                         of its need to find ways to improve its\n                                                                 efficiency in producing quality work in\n                                                                 support of the Congress within a\n                                                                 declining resource environment.\nInformation Security:        9-10. Continue efforts to implement Recommendations open\nEvaluation of GAO\xe2\x80\x99s          additional requirements for the     GAO plans to implement additional\nInformation Security         agency\xe2\x80\x99s privacy program.           requirements after a privacy rule and\nProgram and Practices                                            order are finalized.\nfor Fiscal Year 2009,\nOIG-10-3 (Jan. 4, 2010)\nMatter for management        11. Consider the desirability and       Recommendation open\nconsideration regarding      feasibility of expanding oversight of   GAO plans to provide documentation\nTiny Findings Inc.           Tiny Findings Inc. in a manner          of agreements and new\n(Mar. 24, 2011)              similar to the oversight provided by    memorandums of agreement. GAO\n                             the General Services                    also plans to provide an update on\n                             Administration for child-care           efforts to be accredited by the\n                             facilities in other federal office      National Association for the\n                             buildings.                              Education of Young Children.\nInternal controls            12-15. Improve monitoring of the        Recommendation closed\nregarding telework,          telework program.                       GAO developed and implemented\nofficial duty station, and                                           procedures to monitor transit benefits.\ntransit benefits\n(July 18, 2011)                                                      Recommendations open\n                                                                     GAO developed and implemented a\n                                                                     telework communications strategy to\n                                                                     explain and/or remind staff of the\n                                                                     telework policy and available program\n                                                                     resources. On January 31, 2012,\n                                                                     GAO published in GAO Notices an\n                                                                     announcement of a proposed change\n                                                                     regarding its telework order. The\n                                                                     period for comments by GAO\n                                                                     employees closed on March 2, 2012.\nSource: OIG.\n\n\n\n\nPage 7                                                                       OIG-12-4 Semiannual Report\n\x0cI provided GAO with a draft of this report for review and comment. The agency provided\ntechnical comments that we incorporated, as appropriate.\n\nI want to thank GAO\xe2\x80\x99s Executive Committee, managers, and staff for their cooperation\nduring our reviews. The OIG\xe2\x80\x99s team of dedicated professionals remains committed to\nhelping GAO improve the services it provides American taxpayers; the accomplishments\nreported in this letter are the direct results of their efforts.\n\ncc: Patricia A. Dalton, Chief Operating Officer, GAO\n    Lynn H. Gibson, General Counsel, GAO\n    David M. Fisher, Chief Administrative Officer/Chief Financial Officer, GAO\n    GAO\xe2\x80\x99s Audit Advisory Committee\n\n\n\n\n(999818)\n\n\n\n\nPage 8                                                           OIG-12-4 Semiannual Report\n\x0c                      To report fraud, waste, and abuse in GAO\xe2\x80\x99s internal operations, do one of\nReporting Fraud,      the following. (You may do so anonymously.)\nWaste, and Abuse in\n                      \xe2\x80\xa2   Call toll-free (866) 680-7963 to speak with a hotline specialist,\nGAO\xe2\x80\x99s Internal            available 24 hours a day, 7 days a week.\nOperations\n                      \xe2\x80\xa2   Online at https://oig.alertline.com.\n\n                      To obtain copies of OIG reports and testimony, go to GAO\xe2\x80\x99s Web site:\nObtaining Copies of   www.gao.gov/about/workforce/ig.html.\nOIG Reports and\nTestimony\n\n                      Katherine Siggerud, Managing Director, siggerudk@gao.gov,\nCongressional         (202) 512-4400, U.S. Government Accountability Office, 441 G Street\nRelations             NW, Room 7125, Washington, DC 20548\n\n                      Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800\nPublic Affairs        U.S. Government Accountability Office, 441 G Street NW, Room 7149,\n                      Washington, DC 20548\n\n\n\n\n                      This is a work of the U.S. government and is not subject to copyright protection in the\n                      United States. The published product may be reproduced and distributed in its entirety\n                      without further permission from GAO. However, because this work may contain\n                      copyrighted images or other material, permission from the copyright holder may be\n                      necessary if you wish to reproduce this material separately.\n\x0c'